Hi Mbed TLS team,
I would like to ask whether Mbed TLS could publish security advisories in a machine-readable format, for example GitHub Security Advisories or OSV.
Security fixes are currently visible in release notes and documentation before they appear in NVD/GHSA/OSV. This creates a detection gap for automated vulnerability scanners such as Dependency-Track, because they rely
on structured advisory data with affected versions, fixed versions, and identifiers such as CPE, PURL, or Git ranges.
For example, when a security release is available, Dependency-Track may not alert until the corresponding CVE or advisory appears in one of its vulnerability data sources. This can delay automated remediation even though
a patched Mbed TLS version is already released.
Would the project consider publishing machine-readable advisories at release time, or is there already a preferred process for this?
Thanks!
Nils Schlegelmilch
Development
Phone +49 7836 50-9883
E-Mail
n.schlegelmilch@vega.com

VEGA Grieshaber KG | Am Hohenstein 113 | 77761 Schiltach | Germany
![]()
![]()
![]()
|
Unsere Datenschutzhinweise und somit auch die Informationen gem. Art. 13 DSGVO finden Sie im Internet unter www.vega.com/datenschutz |
|